NOTE! uses become_root() to gain correct priviages on systems
that lack a native getgroups() call (uses initgroups and getgroups)
*/
-int getgroups_user(const char *user, gid_t **groups)
+BOOL getgroups_user(const char *user, gid_t **ret_groups, int *ngroups)
{
struct passwd *pwd;
int ngrp, max_grp;
+ gid_t *temp_groups;
+ gid_t *groups;
+ int i;
pwd = getpwnam_alloc(user);
- if (!pwd) return -1;
+ if (!pwd) return False;
max_grp = groups_max();
- (*groups) = (gid_t *)malloc(sizeof(gid_t) * max_grp);
- if (! *groups) {
+ temp_groups = (gid_t *)malloc(sizeof(gid_t) * max_grp);
+ if (! temp_groups) {
passwd_free(&pwd);
- errno = ENOMEM;
- return -1;
+ return False;
}
- ngrp = sys_getgrouplist(user, pwd->pw_gid, *groups, &max_grp);
- if (ngrp <= 0) {
- passwd_free(&pwd);
- free(*groups);
- return ngrp;
+ if (sys_getgrouplist(user, pwd->pw_gid, temp_groups, &max_grp) == -1) {
+
+ gid_t *groups_tmp;
+
+ groups_tmp = Realloc(temp_groups, sizeof(gid_t) * max_grp);
+
+ if (!groups_tmp) {
+ SAFE_FREE(temp_groups);
+ return False;
+ }
+ temp_groups = groups_tmp;
+
+ if (sys_getgrouplist(user, pwd->pw_gid, temp_groups, &max_grp) == -1) {
+ DEBUG(0, ("get_user_groups: failed to get the unix group list\n"));
+ passwd_free(&pwd);
+ SAFE_FREE(temp_groups);
+ return False;
+ }
}
+
+ ngrp = 0;
+ groups = NULL;
+
+ /* Add in primary group first */
+ add_gid_to_array_unique(pwd->pw_gid, &groups, &ngrp);
passwd_free(&pwd);
- return ngrp;
+
+ for (i=0; i<max_grp; i++)
+ add_gid_to_array_unique(temp_groups[i], &groups, &ngrp);
+
+ *ngroups = ngrp;
+ *ret_groups = groups;
+ SAFE_FREE(temp_groups);
+ return True;
}
+
* RPC Pipe client / server routines
* Copyright (C) Andrew Tridgell 1992-1998
* Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
- * Copyright (C) Paul Ashton 1997-1998.
+ * Copyright (C) Paul Ashton 1997-1998,
+ * Copyright (C) Andrew Bartlett 2004.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
BOOL ret;
BOOL winbind_groups_exist;
- /*
- * this code is far from perfect.
- * first it enumerates the full /etc/group and that can be slow.
- * second, it works only with users' SIDs
- * whereas the day we support nested groups, it will have to
- * support both users's SIDs and domain groups' SIDs
- *
- * having our own ldap backend would be so much faster !
- * we're far from that, but hope one day ;-) JFM.
- */
-
*prids=NULL;
*numgroups=0;
return NT_STATUS_UNSUCCESSFUL;
}
- become_root();
- /* on some systems this must run as root */
- num_groups = getgroups_user(user_name, &groups);
- unbecome_root();
- if (num_groups == -1) {
+ ret = getgroups_user(user_name, &groups, &num_groups);
+ if (!ret) {
/* this should never happen */
DEBUG(2,("get_alias_user_groups: getgroups_user failed\n"));
pdb_free_sam(&sam_pass);
********************************************************************/
BOOL get_domain_user_groups(TALLOC_CTX *ctx, int *numgroups, DOM_GID **pgids, SAM_ACCOUNT *sam_pass)
{
- GROUP_MAP *map=NULL;
- int i, num, num_entries, cur_gid=0;
- struct group *grp;
- DOM_GID *gids;
- fstring user_name;
- uint32 grid;
- uint32 tmp_rid;
- BOOL ret;
-
- *numgroups= 0;
-
- fstrcpy(user_name, pdb_get_username(sam_pass));
- grid=pdb_get_group_rid(sam_pass);
- DEBUG(10,("get_domain_user_groups: searching domain groups [%s] is a member of\n", user_name));
+ const char *username = pdb_get_username(sam_pass);
+ int n_unix_groups;
+ int i,j;
+ gid_t *unix_groups;
- /* we must wrap this is become/unbecome root for ldap backends */
+ *numgroups = 0;
+ *pgids = NULL;
- become_root();
- /* first get the list of the domain groups */
- ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED);
-
- unbecome_root();
-
- /* end wrapper for group enumeration */
-
-
- if ( !ret )
+ if (!getgroups_user(username, &unix_groups, &n_unix_groups)) {
return False;
-
- DEBUG(10,("get_domain_user_groups: there are %d mapped groups\n", num_entries));
-
-
- /*
- * alloc memory. In the worse case, we alloc memory for nothing.
- * but I prefer to alloc for nothing
- * than reallocing everytime.
- */
- gids = (DOM_GID *)talloc(ctx, sizeof(DOM_GID) * num_entries);
+ }
- /* for each group, check if the user is a member of. Only include groups
- from this domain */
+ /* now setup the space for storing the SIDS */
- for(i=0; i<num_entries; i++) {
+ if (n_unix_groups > 0) {
- if ( !sid_check_is_in_our_domain(&map[i].sid) ) {
- DEBUG(10,("get_domain_user_groups: skipping check of %s since it is not in our domain\n",
- map[i].nt_name));
- continue;
- }
-
- if ((grp=getgrgid(map[i].gid)) == NULL) {
- /* very weird !!! */
- DEBUG(5,("get_domain_user_groups: gid %d doesn't exist anymore !\n", (int)map[i].gid));
- continue;
- }
-
- for(num=0; grp->gr_mem[num]!=NULL; num++) {
- if(strcmp(grp->gr_mem[num], user_name)==0) {
- /* we found the user, add the group to the list */
- sid_peek_rid(&map[i].sid, &(gids[cur_gid].g_rid));
- gids[cur_gid].attr=7;
- DEBUG(10,("get_domain_user_groups: user found in group %s\n", map[i].nt_name));
- cur_gid++;
- break;
- }
+ *pgids = talloc(ctx, sizeof(DOM_GID) * n_unix_groups);
+
+ if (!*pgids) {
+ DEBUG(0, ("get_user_group: malloc() failed for DOM_GID list!\n"));
+ SAFE_FREE(unix_groups);
+ return False;
}
}
- /* we have checked the groups */
- /* we must now check the gid of the user or the primary group rid, that's the same */
- for (i=0; i<cur_gid && grid!=gids[i].g_rid; i++)
- ;
-
- /* the user's gid is already there */
- if (i!=cur_gid) {
- /*
- * the primary group of the user but be the first one in the list
- * don't ask ! JFM.
- */
- gids[i].g_rid=gids[0].g_rid;
- gids[0].g_rid=grid;
- goto done;
- }
-
- for(i=0; i<num_entries; i++) {
- sid_peek_rid(&map[i].sid, &tmp_rid);
- if (tmp_rid==grid) {
- /*
- * the primary group of the user but be the first one in the list
- * don't ask ! JFM.
- */
- gids[cur_gid].g_rid=gids[0].g_rid;
- gids[0].g_rid=tmp_rid;
- gids[cur_gid].attr=7;
- DEBUG(10,("get_domain_user_groups: primary gid of user found in group %s\n", map[i].nt_name));
- cur_gid++;
- goto done; /* leave the loop early */
+ become_root();
+ j = 0;
+ for (i = 0; i < n_unix_groups; i++) {
+ GROUP_MAP map;
+ uint32 rid;
+
+ if (!pdb_getgrgid(&map, unix_groups[i])) {
+ DEBUG(3, ("get_user_groups: failed to convert gid %ld to a domain group!\n",
+ (long int)unix_groups[i+1]));
+ if (i == 0) {
+ DEBUG(1,("get_domain_user_groups: primary gid of user [%s] is not a Domain group !\n", username));
+ DEBUGADD(1,("get_domain_user_groups: You should fix it, NT doesn't like that\n"));
+ }
+ } else if ((map.sid_name_use == SID_NAME_DOM_GRP)
+ && sid_peek_check_rid(get_global_sam_sid(), &map.sid, &rid)) {
+ (*pgids)[j].attr=7;
+ (*pgids)[j].g_rid=rid;
+ j++;
}
}
+ unbecome_root();
- DEBUG(0,("get_domain_user_groups: primary gid of user [%s] is not a Domain group !\n", user_name));
- DEBUGADD(0,("get_domain_user_groups: You should fix it, NT doesn't like that\n"));
-
+ *numgroups = j;
- done:
- *pgids=gids;
- *numgroups=cur_gid;
- SAFE_FREE(map);
+ SAFE_FREE(unix_groups);
return True;
}
projects / thirdparty / samba.git / commitdiff
